[Samba] getting NT_STATUS_LOGON_FAILURE

Bob of Donelson Trophy bob at donelsontrophy.net
Fri Jan 9 08:00:08 MST 2015


 

On 2015-01-09 08:44, Rowland Penny wrote: 

> On 09/01/15 14:34, Bob of Donelson Trophy wrote:
> Now, more appropriately answering after the message. SEE BELOW, please.
>
> On 2015-01-09 07:24, L.P.H. van Belle wrote:
>
> Hai,
>
> Not entirely correct..
>
> change :
> dns-nameservers 208.67.222.222 <<<<<< have always struggled
> to
> dns-search dtshrm.lan
> dns-nameservers IP_OF_AD_DC
>
> and use :
> net rpc rights grant "YOUR_DOMAINNAMEDomain Admins" SeDiskOperatorPrivilege -UAdministrator -S NAME_OF_MEMBERSERVER
>
> Hope this helps you on the way, I'm out of the office now, going on ski holiday. Back in 9 days.
>
> Greetz,
> Louis
>
> -----Original message-----
> From: bob at donelsontrophy.net [mailto:samba-bounces at lists.samba.org] On behalf of Bob of Donelson Trophy
> Sent: Friday 9 January 2015 14:04
> To: SAMBA MailList
> Subject: [Samba] getting NT_STATUS_LOGON_FAILURE
>
> I have been having issues with my W7 client "access is denied" to changing the security (user permissions) settings and have been posting regarding that issue yesterday.
>
> I have discovered that my "ads join member server" is not completely joined (I think.) I discovered a post from February 2014, by Louis "[Samba] member joined, but . . ." and ran some of his command line test strings and received similar results.
>
> Did some checking before moving forward:
>
> root at dtmember01:~# net ads testjoin
> Join is OK <<<<<<<<<<<< OK? Can't change permissions!
>
> root at dtmember01:~# net rpc rights list
> Enter root's password:
> Could not connect to server 127.0.0.1 <<<<<< why localhost?
> The username or password was not correct.
> Connection failed: NT_STATUS_LOGON_FAILURE <<<<<<< look
>
> root at dtmember01:~# cat /etc/hosts
> 127.0.0.1 localhost
> 192.168.16.55 dtmember01.dtshrm.lan dtmember01
>
> # The following lines are desirable for IPv6 capable hosts
> ::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> root at dtmember01:~# cat /etc/network/interfaces
> # This file describes the network interfaces available on your system
> # and how to activate them. For more information, see interfaces(5).
>
> # The loopback network interface
> auto lo
> iface lo inet loopback
>
> # The primary network interface
> allow-hotplug eth0
> iface eth0 inet static
> address 192.168.16.55
> netmask 255.255.255.0
> network 192.168.16.0
> broadcast 192.168.16.255
> gateway 192.168.16.106
> # dns-* options are implemented by the resolvconf package, if installed
> dns-nameservers 208.67.222.222 <<<<<< have always struggled with correct setting here
> dns-search dtshrm.lan
>
> Do I have anything set incorrectly?
>
> Then I ran these test strings that were listed in the "member joined, but . . ." thread.
>
> root at dtmember01:~# net rpc rights list accounts -Uadministrator
> Enter administrator's password:
> Could not connect to server 127.0.0.1
> The username or password was not correct.
> Connection failed: NT_STATUS_LOGON_FAILURE <<<<< hum-m-m-m!!
>
> root at dtmember01:~# net -S dtmember01 rpc rights list account -Uadministrator
> Enter administrator's password:
> Could not connect to server dtmember01
> The username or password was not correct.
> Connection failed: NT_STATUS_LOGON_FAILURE
>
> root at dtmember01:~# net -S dtmember01.dtshrm.lan rpc rights list accounts -Uadministrator
> Enter administrator's password:
> BUILTINPrint Operators
> No privileges assigned
>
> BUILTINAccount Operators
> No privileges assigned
>
> BUILTINBackup Operators
> No privileges assigned
>
> BUILTINServer Operators
> No privileges assigned
>
> BUILTINAdministrators
> SeMachineAccountPrivilege
> SeTakeOwnershipPrivilege
> SeBackupPrivilege
> SeRestorePrivilege
> SeRemoteShutdownPrivilege
> SePrintOperatorPrivilege
> SeAddUsersPrivilege
> SeDiskOperatorPrivilege <<<<<<<<<<<< hum-m-m
> SeSecurityPrivilege
> SeSystemtimePrivilege
> SeShutdownPrivilege
> SeDebugPrivilege
> SeSystemEnvironmentPrivilege
> SeSystemProfilePrivilege
> SeProfileSingleProcessPrivilege
> SeIncreaseBasePriorityPrivilege
> SeLoadDriverPrivilege
> SeCreatePagefilePrivilege
> SeIncreaseQuotaPrivilege
> SeChangeNotifyPrivilege
> SeUndockPrivilege
> SeManageVolumePrivilege
> SeImpersonatePrivilege
> SeCreateGlobalPrivilege
> SeEnableDelegationPrivilege
>
> Everyone
> No privileges assigned
>
> root at dtmember01:~# net rpc rights grant 'DTDC01Domain Admins' SeDiskOperatorPrivilege -Uadministrator
> Enter administrator's password:
> Failed to grant privileges for DTDC01Domain Admins (NT_STATUS_ACCESS_DENIED)
>
> I tried to sort out the issues Louis was experiencing in his pam setup and realized that I had run his script against Debian 7.7.0 (newer than that available in February) and wondered if Debian (this version) pam files is the cause of the issue I am experiencing.
>
> Decided to post here and see what anyone thinks? Louis, are you there?
>
> --
> -------------------------
> Bob Wooden of Donelson Trophy
> 615.885.2846 (main)
> www.donelsontrophy.com [1]
> "Everyone deserves an award!!"
>
> Links:
> ------
> [1] http://www.donelsontrophy.com
>
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba [2]
>
> Rowland, As you can see Louis is on a holiday. (Enjoy the snow, Louis.)

Yes, I noticed he was going downhill leg-breaking :-D

> I changed per his suggestions and have discovered that my lone W7 client does not have internet access? Should the W7 client use the MEMBER server ip address for its "Preferred DNS server" or the address of my DC?

You need to point your clients at the DC, this is running a DNS server
which should know about ALL machines in AD.

I don't know if you noticed, but somebody else is having similar
problems, can you check if you have a file 'libnss_winbind.so.2'?

Rowland

W7 client "Preferred DNS server" is set to my DC. 

My DC looks like this: 

root at dtdc01:~# cat /etc/resolv.conf
search dtshrm.local
domain dtshrm.local
nameserver 192.168.16.54
root at dtdc01:~# cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eth0
iface eth0 inet static
address 192.168.16.54
netmask 255.255.255.0
network 192.168.16.0
broadcast 192.168.16.255
gateway 192.168.16.106
# dns-* options are implemented by the resolvconf package, if installed
dns-nameservers 208.67.222.222
dns-search dtshrm.local
root at dtdc01:~# cat /etc/hosts
127.0.0.1 localhost
192.168.16.54 dtdc01.dtshrm.lan dtdc01

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters 

Should the /etc/resolv.conf be resolving to itself? 

(I chuckled at your "panic" comment. lol) 

Fix this first, checking for 'libnss_winbind.so.2' is next on my list
for this morning. 
-- 

-------------------------

Bob Wooden of Donelson Trophy

615.885.2846 (main)
www.donelsontrophy.com [1]

"Everyone deserves an award!!"
 

Links:
------
[1] http://www.donelsontrophy.com
[2] https://lists.samba.org/mailman/options/samba
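
Added example (not part of the original message, and not Samba project code): a small shell check for the two DNS settings this thread keeps returning to, namely resolvers that are not the AD DC (Louis's `dns-nameservers IP_OF_AD_DC` advice) and search domains that differ from the domain in the host's `/etc/hosts` FQDN. The function names are hypothetical and the sample files are constructed from the DC configuration quoted above.

```shell
#!/bin/sh
# Added example. File contents below are constructed from the DC
# configuration quoted in the message; function names are hypothetical.
set -u

# Print every resolver listed (resolv.conf "nameserver" or interfaces
# "dns-nameservers") that is not the AD DC's address.
foreign_dns() {            # $1 = file, $2 = DC IP
    awk -v dc="$2" '$1 == "nameserver" || $1 == "dns-nameservers" {
        for (i = 2; i <= NF; i++) if ($i != dc) print $1 "=" $i }' "$1"
}

# Print the DNS domain of the host's FQDN as recorded in an /etc/hosts file.
hosts_domain() {           # $1 = hosts file, $2 = short hostname
    awk -v h="$2" '$1 !~ /^#/ {
        for (i = 2; i <= NF; i++) if (index($i, h ".") == 1) {
            print substr($i, length(h) + 2); exit } }' "$1"
}

# Print search-domain settings that differ from the expected AD DNS domain.
mismatched_search() {      # $1 = file, $2 = expected domain
    awk -v d="$2" '$1 == "search" || $1 == "domain" || $1 == "dns-search" {
        for (i = 2; i <= NF; i++) if ($i != d) print $1 "=" $i }' "$1"
}

# Constructed sample files (copies of the values shown for dtdc01).
SAMPLE=$(mktemp -d)
printf '%s\n' 'search dtshrm.local' 'domain dtshrm.local' \
    'nameserver 192.168.16.54' > "$SAMPLE/resolv.conf"
printf '%s\n' 'iface eth0 inet static' 'address 192.168.16.54' \
    '# dns-* options are implemented by the resolvconf package' \
    'dns-nameservers 208.67.222.222' 'dns-search dtshrm.local' \
    > "$SAMPLE/interfaces"
printf '%s\n' '127.0.0.1 localhost' '192.168.16.54 dtdc01.dtshrm.lan dtdc01' \
    > "$SAMPLE/hosts"

DC_IP=192.168.16.54
AD_DOMAIN=$(hosts_domain "$SAMPLE/hosts" dtdc01)
echo "domain from hosts: $AD_DOMAIN"
for f in resolv.conf interfaces; do
    foreign_dns "$SAMPLE/$f" "$DC_IP" | sed "s|^|$f: non-DC resolver |"
    mismatched_search "$SAMPLE/$f" "$AD_DOMAIN" | sed "s|^|$f: search mismatch |"
done
```

On a real host, pass `/etc/resolv.conf`, `/etc/network/interfaces` and `/etc/hosts` to the functions instead of the sample copies.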

